(54) Method and apparatus for dynamically controlling the provision of differentiated services



(57) An apparatus comprising a network interface,
through which the apparatus facilitates communication
between a client device and a remote device, and a
controller is presented. In accordance with one aspect of
the present invention, the controller, coupled to the
network interface, dynamically creates and removes
admission filters based, at least in part, on an
admissions profile such that, when triggered, the
filter(s) initiate an admission control decision
preventing premature allocation of resources which are
not used or authorized.
Description

COPYRIGHT NOTICE 

[0001] A portion of the disclosure of this patent
document contains material which is subject to copyright
protection. The copyright owner has no objection to the
facsimile reproduction by anyone of the patent document
or the patent disclosure, as it appears in the Patent
and Trademark Office patent file or records, but
otherwise expressly reserves all rights whatsoever in
said copyright works.

BACKGROUND OF THE INVENTION
1. Field of the Invention 

[0002] The present invention relates to the field of
data networking and, in particular, to a method and
apparatus for dynamically controlling the provision of
differentiated services.

2. Background Information

[0003] As computer technology has evolved, so too
has the use of networks which communicatively couple
computer systems together, enabling them to
communicate with one another. One of the more popular
of such computer networks is colloquially referred to as
the Internet, which is an internetworking of a number of
publicly accessible networks and servers distributed
throughout the world. The Internet provides the
communication means by which individual enterprise
networks (e.g., Local Area Networks (LANs), Wide Area
Networks (WANs), and the like), servers and other
network devices communicate with one another.
Individually, the networks/servers comprising the
Internet come in many different topologies, employing a
corresponding number of alternative communication
technologies. One of the profound advantages of the
Internet is that communication at the network layer is
standardized around a standard set of communication
protocols commonly referred to as the Internet
communication suite. By adhering to the Internet
communication suite, any network device can communicate
with any other network device, effectively creating a
single, seamless, ubiquitous network.
[0004] Once the domain of government agencies
and academic institutions, the Internet has grown to
become a form of entertainment in many parts of the
world, as well as a source of commerce. However, the
increased popularity of the Internet has also revealed
some of its limitations. One such limitation is bandwidth
management. That is to say, the increased popularity of
the Internet has resulted in increased congestion, which
the Internet is ill-equipped to manage.
[0005] One reason for the Internet's limited ability to
manage congestion centers around its "best-effort"
service level paradigm. Simply stated, in communicating
data packets from one network device to another, each
intervening network device processes data traffic in the
order in which it was received and selects the best
route currently available to deliver the data packets to
its destination. If a network device is overburdened, or
the data packets are corrupted in transit (e.g., due to
noise or other factors), the data packets may be
dropped, requiring re-transmission. While dropped or
re-transmitted data packets are not a problem for many
applications, they do pose a problem for multimedia
applications executing over the Internet. Moreover, the
best-effort service level of the Internet does not take
into account that certain data packets are more
time-sensitive than others.

[0006] To illustrate this last point, consider for
example computer telephony applications, the so-called
Internet telephones. The speech quality and cognition
provided by computer telephony applications are heavily
dependent upon a network's ability to transmit data
packets from the source to the destination in a near
real-time fashion, without dropping packets or otherwise
requiring re-transmission. Dropped or re-transmitted
data packets may well result in choppy, unintelligible
speech at the receiving end of the communication.

[0007] To overcome the limitations of the best-effort
service paradigm, the Internet Engineering Task Force
(IETF), an association of networking professionals, has
proposed inclusion of differentiated services in the
Internet standard, providing different levels of service
within the bandwidth of the Internet. Differentiated
services enable an application/network device/enterprise
network/etc. to reserve communication bandwidth with
which to facilitate transmission of data packets between
a source and destination. Those skilled in the art will
recognize that reserving bandwidth using the
differentiated services paradigm comes at a cost. That
is, Internet Service Providers (ISPs) and other Internet
access points charge a premium to secure and dedicate
bandwidth to individual clients/applications. Even if
there is not a per-use cost associated with the use of
differentiated services, there is an inherent cost in
dedicating equipment on a per-port basis to support such
differentiated services. Consequently, simply adding
more ports to alleviate congestion and provide
differentiated services is a costly solution.

[0008] To more effectively manage the costly
resources required to provide differentiated services, it
is known to install filters on network edge devices which
control the provision of differentiated services. Thus,
rather than simply dedicating bandwidth to support a
service level between two networks, such bandwidth is
not allocated until such time as network traffic
satisfying filter criteria is detected. One skilled in
the art will appreciate, however, that the network
devices can quickly become over-burdened with such
filters.

[0009] Thus, a method and apparatus for dynamically
controlling the provision of differentiated services is
presented, unencumbered by the deficiencies and
inherent limitations commonly associated with the
network devices of the prior art. It will be apparent to
those skilled in the art, from the description to follow,
that the present invention achieves these and other
desired results.

SUMMARY OF THE INVENTION 

[0010] In accordance with the teachings of the
present invention, a method and apparatus for
controlling access to a network information source is
provided. In particular, in accordance with one
embodiment of the present invention, an apparatus
comprising a network interface, through which the
apparatus facilitates communication between a client
device and a remote device, and a controller is
presented. In accordance with one aspect of the present
invention, the controller, coupled to the network
interface, dynamically creates and removes admission
filters based, at least in part, on an admissions
profile such that, when triggered, the filter(s)
initiate an admission control decision preventing
premature allocation of differentiated services
resources which are not used or authorized.

BRIEF DESCRIPTION OF DRAWINGS 

[0011] The present invention will be described by
way of exemplary embodiments, but not limitations,
illustrated in the accompanying drawings in which like
references denote similar elements, and in which:

Figure 1 illustrates a block diagram of an example
data network within which the teachings of the
present invention may be practiced, in accordance
with one embodiment of the present invention;
Figure 2 illustrates a block diagram of a network
device incorporating the teachings of the present
invention, in accordance with one embodiment of
the present invention;

Figure 3 illustrates a flow chart of an example
method for dynamically controlling the provision of
differentiated services, in accordance with one
embodiment of the present invention;
Figure 4 illustrates an example communication
packet suitable for use in the example network of
Figure 1, in accordance with one embodiment of
the present invention;

Figure 5 graphically illustrates an example profile
database from which trigger filters and admission
profiles are dynamically generated, in accordance
with one embodiment of the present invention; and
Figure 6 illustrates a block diagram of an example
network device incorporating the teachings of the
present invention, in accordance with an alternate
embodiment of the present invention.



DETAILED DESCRIPTION OF THE INVENTION 

[0012] In the following description, various aspects
of the present invention will be described. However, it
will be apparent to those skilled in the art that the
present invention may be practiced with only some or all
aspects of the present invention. For purposes of
explanation, specific numbers and configurations are set
forth in order to provide a thorough understanding of the
present invention. However, it will also be apparent to
those skilled in the art that the present invention may
be practiced without these specific details. In other
instances, well known features are omitted or simplified
for clarity.

[0013] A portion of the disclosure of this patent
document contains material which is subject to copyright
protection. The copyright owner has no objection to the
facsimile reproduction by anyone of the patent document
or the patent disclosure, as it appears in the Patent
and Trademark Office patent file or records, but
otherwise expressly reserves all rights whatsoever in
said copyright works.

[0014] In an alternative embodiment, the present
invention may be applicable to implementations of the
invention in integrated circuits or chip sets, wireless
implementations, switching system products and
transmission systems products. For purposes of this
application, the term switching systems products shall
be taken to mean private branch exchanges (PBXs),
central office switching systems that interconnect
subscribers, toll/tandem switching systems for
interconnecting trunks between switching centers, and
broadband core switches found at the center of a
service provider's network that may be fed by broadband
edge switches or access multiplexers, and associated
signaling, and support systems and services. The term
transmission systems products shall be taken to mean
products used by service providers to provide
interconnection between their subscribers and their
networks such as loop systems, and which provide
multiplexing, aggregation and transport between a
service provider's switching systems across the wide
area, and associated signaling and support systems and
services.
[0015] Turning to Figure 1, an example data network
within which the teachings of the present invention
are practiced is presented, in accordance with one
embodiment of the present invention. In accordance
with the illustrated example embodiment of Figure 1,
data network 100 is shown comprising a plurality of
clients (112, 114, 116, 120, 122, 128 and 130)
communicatively coupled to a network core device 108
via a network edge device (110, 118, and 124) as shown.
Those skilled in the art will appreciate, from the
description to follow, that network edge devices 110,
118 and/or 124 incorporating the teachings of the
present invention dynamically provision the
differentiated services offered by and through core
device(s) 108 on an as-needed, as-authorized basis,
thereby minimizing the resources required of the
network edge device and the network to support
differentiated services. More specifically, network
edge devices 110, 118 and/or 124, in conjunction with a
bandwidth broker, dynamically create and remove filters
that, when triggered, initiate an admission decision
controlling provision of end access to the
differentiated services of data network 100.
Accordingly, a network device incorporating the
teachings of the present invention ensures that the
differentiated services of data network 100 are not
provisioned until they are needed and authorized,
thereby preventing the allocation of unused network
resources and reducing the operating cost of data
network 100. These and other aspects of the present
invention will be apparent to those skilled in the art
based on the description to follow.

[0016] As depicted in Figure 1, client computers
112, 114 and 116 are coupled to a common network
103, which is coupled to core device 108 via network
edge device 110. In one embodiment, clients 112, 114
and 116 along with network edge device 110 form a
local area network (LAN) 102. Similarly, clients 128 and
130, bandwidth broker 126 and network edge device
124, coupled via network 105, form LAN 104, while
clients 120 and 122 coupled to network edge device 118
via network 107 form LAN 106. As shown, each of LANs
102, 104 and 106 is coupled to a common network core
device, e.g., core device 108. In one embodiment, the
combination of LANs 102, 104 and 106 coupled to a
common core device 108 forms a domain of an
enterprise-wide network, also commonly referred to as a
wide area network (WAN) or wide area information system
(WAIS). In an alternate embodiment, core device 108 is
one of a plurality of network core devices comprising a
global data network, e.g., the Internet.
[0017] As depicted, example data network 100 of
Figure 1 is much like the typical prior art network
described above, with the notable exception that access
filters are dynamically established and removed on
network edge devices 110, 118 and 124, incorporating
the teachings of the present invention, to control
access to the differentiated services offered by core
device 108. The filters are installed on an as-needed,
as-authorized basis, thereby preserving network
resources as well as filter resources of the network
edge device. Accordingly, those skilled in the art will
appreciate that data network 100 is intended to
represent any of a number of network architectures
employing any of a number of alternative communication
protocols known or anticipated in the art. Thus, except
for the teachings of the present invention to be
described more fully below, as used herein the term
network device is broadly employed to describe any of a
number of alternative network devices commonly known
and used in the data networking arts to support
communication between network elements.
[0018] As used herein, bandwidth broker 126 of
LAN 104 controls provision of differentiated services at
a network level for the domain associated with core
device 108. Accordingly, the bandwidth broker maintains
"bandwidth pools" for each class of service supported
by network core device 108. In accordance with one
embodiment of the present invention, bandwidth broker
126 also maintains an admission policy database,
which correlates subscribed services to admission
filters and classifier profiles that, when triggered,
are installed on or removed from network edge devices
incorporating the teachings of the present invention,
as appropriate. Thus, in accordance with one aspect of
the present invention, bandwidth broker 126 creates and
removes admission filters (also referred to as access
filters, or policy filters) and classifier profiles on
network edge devices incorporating the teachings of the
present invention, e.g., 110, 118 and/or 124, to
control provision of the differentiated services
offered by core device 108. Although depicted as a
separate entity, those skilled in the art will
appreciate from the description to follow that
bandwidth broker 126 may well be integrated with one
or more of network edge devices 110, 118 and/or 124.
[0019] As used herein, clients, e.g., 112, 114, 116,
120, 122, 128 and/or 130, are intended to represent any
of a number of alternative computing devices known in
the art. In one embodiment, for example, clients are
typical desktop computers coupled to subnetworks as is
well known in the art. In an alternate embodiment,
clients are the so-called network computers, i.e.,
computers which rely on a network server for
application and hard drive storage. In an alternate
embodiment, client 102 is an electronic appliance,
e.g., a webTV™ Internet Terminal available from Sony
Electronics, Inc. of Park Ridge, NJ, that enables one
to utilize the resources of data network 100 without
the need of a full-featured computer system.
[0020] In accordance with the illustrated example
data network of Figure 1, core device(s) 108 is intended
to represent any of a number of core network devices
known to those skilled in the art which provide
differentiated service levels of communication. In one
embodiment, for example, core device 108 is a network
switching center comprising a number of switches,
hubs, routers and servers. In an alternate embodiment,
core device 108 is a switch. In an alternate
embodiment, core device 108 is a server supporting
network switching and communications.

[0021] Similarly, the communication links illustrated
in Figure 1 may be any of a wide range of conventional
wireline and wireless communication media, and may
be different for different clients, servers, bandwidth
brokers and other network devices. For example, a
communication link may be a cable, a fiber optic cable,
or may represent a nonphysical medium transmitting
electromagnetic signals in the electromagnetic spectrum.
Additionally, a wireless communication link may also
include any number of conventional routing or repeating
devices, such as satellites or electromagnetic signal
repeaters or base stations. Regardless of the form of
communication medium, data is typically transferred
between network elements using any of a number of
data communication protocols. In accordance with such
data communication protocols, data is generally
transferred between network elements in units commonly
referred to as packets, frames, datagrams and the like.
Typically, such a packet includes data, a source address
and a target address. As will be described in greater
detail below, additional control information, generally
included in a header, may also be included in the
packet. The number of bytes of data contained within a
packet is dependent upon the communication resources
of the client, the host and the network protocol
employed.

EP 1 024 642 A2

[0022] Having introduced the operating environment
for the present invention, a block diagram of an
example network edge device incorporating the teachings
of the present invention is provided with reference to
Figure 2. As depicted, Figure 2 illustrates a block
diagram of an example network device 200 incorporating
the teachings of the present invention, in accordance
with one embodiment of the present invention. In one
embodiment, network device 200 may well be beneficially
incorporated into network 100 as one or more of network
edge devices 110, 118 and/or 124. Further, as alluded
to above, except for the teachings of the present
invention, network edge device 200 is intended to
represent any of a number of alternative network
devices commonly used and known in the art. Thus, those
skilled in the art will appreciate that the present
invention may be practiced in any of a number of
alternate embodiments without deviating from the spirit
and scope of the present invention.

[0023] As presented in the example embodiment of
Figure 2, network device 200 is shown comprising
input/output drivers 202 and 208, network interface 204
and controller 206 coupled as shown. In accordance
with one aspect of the present invention, to be
developed most fully below, controller 206 controls the
dynamic provision of filters 210 and classifier profiles
222 providing access to the differentiated services
offered within the domain of resident core device(s).
Although depicted as separate entities, those skilled in
the art will appreciate that this is for ease of
explanation only, and that controller 206 may well be
incorporated as a functional block of network interface
204. In an alternate embodiment, controller 206 may
well be remotely located and communicatively coupled to
network device 200 and network interface 204. As used
herein, controller 206 is intended to represent any of a
number of microprocessors, microcontrollers,
programmable logic devices (PLDs), application specific
integrated circuits (ASICs) and the like.
[0024] As depicted in Figure 2, I/O drivers 202 and
208 provide the physical interface between network
device 200 and the client network and core network,
respectively. That is, I/O driver 202 provides an
interface supporting data communication (bi-directional)
with clients, e.g., client 112, while I/O driver 208
provides an interface supporting data communication
(also bi-directional) with core devices, e.g., core
device 108. Such I/O devices are well known in the art
and need not be further described here.

[0025] In accordance with the illustrated example
embodiment of Figure 2, network interface 204 is
shown comprising Decaps/DeMUX unit 210, filter(s)
212, classifier 214 including profiles 222, routing
unit 216, Encaps/Multiplexer (MUX) 218 and scheduler
220, each communicatively coupled as shown. As shown,
Decaps/DeMUX 210 receives data packets from a
communicatively coupled network via I/O driver 202 and
translates the data packets from the communication
protocol employed by the network.

[0026] Filter(s) 212 and classifier 214 are employed
to identify incoming data traffic adhering to admission
policy criteria and mark the data packets with an
appropriate routing classification in accordance with a
predetermined differentiated services admission policy.
That is, filter 212 provides an indication, or trigger,
denoting when data packets are received that satisfy
filter criteria. In accordance with one aspect of the
present invention, the filters populating filter(s) 212
are dynamically provisioned on network interface 204 by
controller 206 in accordance with an admission control
policy. In one embodiment, controller 206 creates and
removes specific filters from filter 212 in response to
control messages from a remote bandwidth broker, e.g.,
bandwidth broker 126. In an alternate embodiment,
controller 206 is a bandwidth broker and
creates/removes specific filters from filter 212 on its
own accord, in furtherance of an admission control
policy. Once in place, filter 212 issues a trigger
message to controller 206 when data packets are
received satisfying the criteria of an installed filter.

[0027] Classifier 214 functions to classify and mark
data packets in accordance with their service level. In
operation, once a trigger is received denoting receipt of
data packets satisfying the filter criteria of at least
one filter 212, controller 206 updates the installed
profiles 222 of classifier 214 such that any data
packets received at classifier 214 satisfying at least
one profile 222 will be marked in accordance with their
subscribed service level. More specifically, in
accordance with one embodiment of the present
invention, the Type of Service (ToS) field in a "header"
appended to the data packet is marked to denote an
appropriate level of service for transmission of the
data packet. One example of a header is provided with
reference to Figure 4.

[0028] Turning briefly to Figure 4, a graphical
illustration of an example header 400 suitable for use
in conjunction with the present invention is depicted.
As shown, in accordance with the illustrated example
embodiment, header 400 is a byte wide, containing up
to eight separate data fields. Of particular interest
with respect to the present invention is the Type of
Service (ToS) field 402. Those skilled in the art will
appreciate that the number of bits allocated to ToS
field 402 determines the number of service gradations
supported by header 400. In accordance with the
illustrated example embodiment, the ToS field 402 is a
one-bit field. Consequently, ToS field 402 can be
marked to differentiate two levels of service,
associated with a ToS field 402 entry of '0' or '1'. In
one embodiment, for example, a ToS field 402 populated
with '0' denotes a best-effort service level.
Accordingly, when data packets are received which do
not satisfy filter criteria, classifier 214 updates the
ToS field 402 of the header appended to such data
packets with a '0'. Alternatively, as will be described
in greater detail below, receipt of data packets
satisfying filter 212 criteria may result in marking
the ToS field 402 of the header appended to such data
packets with a '1', denoting an expedited forwarding
(EF) level of service. Those skilled in the art will
appreciate that larger ToS fields 402 will enable
header 400 to support increased gradations in service
levels. Indeed, the number of service levels may
increase exponentially as the number of bits allocated
to ToS field 402 increases.
[0029] Returning to Figure 2, in accordance with
one aspect of the present invention, the provision of
profiles 222 to classifier 214 by controller 206 is
closely monitored. That is, profiles 222 are created by
controller 206 to satisfy individual flows, e.g.,
transmission of a number of related data packets, and
are summarily removed when the flow no longer exists.
Accordingly, a network device such as network device
200 incorporating the teachings of the present
invention minimizes the resources dedicated to support
filters and classifier profiles by allocating resources
to only those filters/classifier profiles currently in
use.

[0030] In addition to the foregoing, network
interface 204 includes routing unit 216, Encaps/MUX 218
and scheduler 220, as shown. Routing unit 216
identifies and marks the data packets with routing
information in accordance with the subscribed service
level. Encaps/MUX 218 places the data packets in the
proper format for transmission over the data network.
Scheduler 220 is used to schedule transmission of data
packets through I/O driver 208 in accordance with their
subscribed service level, if congestion on the outgoing
communication link is detected. Thus, those skilled in
the art will appreciate that routing unit 216,
Encaps/MUX 218 and scheduler 220 are typical of
those used in the data networking art and, thus, need
not be further described.

[0031] Thus, in accordance with one aspect of the
present invention, controller 206 dynamically controls
the provision of filters 212 and classifier profiles 222
in accordance with a differentiated services admission
policy, thereby reducing the resources dedicated to
support differentiated services.

[0032] Given the foregoing architectural description,
the operation of example network device 200
incorporating the teachings of the present invention
will now be developed with reference to the flow chart
depicted in Figure 3. In particular, an example method
for dynamically controlling the provision of
differentiated services in a data network will be
developed with reference to the flow chart depicted in
Figure 3, in accordance with one embodiment of the
present invention.

[0033] For ease of explanation, and not limitation,
the example method depicted in Figure 3 will be
developed in accordance with an example communication
session with continued reference to Figures 1 and 2.
Consider the following: a corporate entity has a number
of distributed sites, each having their own respective
local area network, e.g., LANs 102, 104 and 106. In
order to link these remote sites, the corporate entity
has contracted with an internet service provider (ISP)
to provide premium network services between LAN 102 and
LAN 106 between the hours of 9AM and 5PM via its
network core device 108.

[0034] With reference to Figure 3, the example
method for controlling the provision of differentiated
services of core device 108 begins when data packets
are received by a network edge device, e.g., network
edge device 110, with an initial determination of
whether a filter corresponding to the received data
packets is installed, block 301. If not, a further
determination is made of whether a filter need be
installed on a network edge device, block 302.

[0035] In accordance with the above example
implementation, bandwidth broker 126 determines at
9AM that differentiated services have been contracted
for between LAN 102 and LAN 106 and issues a setup
message to install the appropriate filter on an
appropriate network edge device, block 304. More
specifically, bandwidth broker 126 issues a command to
controller 206 of network edge device 110 incorporating
the teachings of the present invention to install a
filter in filter(s) 212. In one embodiment, the newly
installed filter issues a trigger when a source of LAN
102 (e.g., clients 112, 114 and/or 116) and a
destination of LAN 106 (e.g., clients 120 or 122) are
denoted in the received data packets.

[0036] In block 306, a determination is made as to
whether any of the installed filters of filter(s) 212
have expired. If so, they are removed from the
appropriate network edge device at block 308. Thus, in
accordance with one aspect of the present invention, a
network edge device incorporating the teachings of the
present invention allocates only those resources
necessary to support filters that are currently needed,
thereby reducing the overall amount of resources
required of the network device. If the filter has not
expired, however, it continues to monitor received data
packets for a "hit", e.g., a received data packet which
satisfies the filter criteria (e.g., source from LAN
102 and destination within LAN 106), block 310. If the
received data packets do not satisfy the filter
criteria at 310, they are processed in accordance with
the best-effort service paradigm, block 312. That is,
if data packets are received which do not adhere to a
subscribed service level, the ToS field 402 of the
header 400 appended to the data packets is marked by
classifier 214 to denote a best-effort service level.

[0037] If, however, the received data packets satisfy
at least one installed filter 212 at 310, a further
determination is made by controller 206 of whether an
appropriate classifier profile 222 is installed in
classifier 214 to appropriately mark the data packets
in accordance with their subscribed service level, 314.
If controller 206 determines that the necessary profile
222 is not installed, controller 206 forwards the
trigger notification received from filter 212 to
bandwidth broker 126, which correlates the trigger
notification with the appropriate classifier profile
and issues an update message to classifier 214 via
controller 206, block 316. In one embodiment, in
response to receiving a trigger notification from
controller 206, bandwidth broker 126 looks up the
received trigger in the admissions policy database to
identify an associated classifier profile 222, 316.
Once the appropriate classifier profile 222 is
identified, it is sent to classifier 214 via controller
206 in an update message. Once the appropriate profile
222 has been installed in classifier 214, classifier
214 marks the ToS field 402 of header 400 appended to
the received data packets in accordance with their
subscribed service level. In one embodiment, for
example, ToS field 402 is marked to denote a best
effort service level, and the data packets are
subsequently routed in accordance with their subscribed
service level, 318. At 320, a determination is made of
whether transmission is complete. If not, the method
continues with block 318.
[0038] If transmission is complete, controller 206
makes a determination of whether to remove the
classifier profile 222. In one embodiment, for example,
controller 206 makes this determination in accordance
with the service level it supports. For example, if
profile 222 supports the highest service level, and the
filter has not yet expired for that service level,
controller 206 maintains the profile to support the
service level with minimal delay. If, however, profile
222 corresponds to a lower service level, controller
206 may remove the profile, even though the
corresponding filter remains in place, to liberate
network interface 204 resources. If, in 322, a
determination is made to remove the filter, controller
206 instructs classifier 214 to purge filter 222, and
an update message is sent to bandwidth broker 126
denoting the update. Subsequently, the process continues
with

[0039] Thus, in accordance with the above example, controller 206 is responsible for the provision of filters 212 and classifier profiles 222 necessary to support differentiated services via network edge device 110. In one embodiment, controller 206 relies on the information provided by a remote bandwidth broker 126 or some other policy server. In an alternate embodiment, controller 206 accesses a co-located admission policy database autonomously. Regardless of where the admissions policy database is located, access to the differentiated services of core device 108 is dynamically controlled through the selective provision of trigger filters and classifier profiles on network devices, e.g., network device 110, as appropriate.
[0040] Thus, one method for implementing the teachings of the present invention has been described with reference to Figures 1-4. Those skilled in the art will appreciate, however, that modifications and alterations to the network topology, header size, network elements and differentiated services admission policy can be made without deviating from the spirit and scope of the present invention. For example, in addition to the teachings above in Figure 3, controller 206 may install or remove filter(s) 212 or classifier profiles 222 based on time of day, received network traffic, and any of a number of core network operating parameters (e.g., identified faults, etc.). Indeed, such modifications and alterations to the above description are anticipated within the spirit and scope of the present invention. Having described an example network device incorporating the teachings of the present invention with reference to Figure 2, and a method of operation in Figure 3, one embodiment of an example admission profile database is provided with brief reference to Figure 5. Accordingly, Figure 5 illustrates an example two-dimensional admission profile database 500, wherein a network administrator establishes the filters and profiles for admission to be provisioned on appropriate network devices controlling access to differentiated services. Although represented as a two-dimensional database, those skilled in the art will appreciate that this is for ease of explanation only, and that a database of greater or lesser complexity may well be substituted for database 500 without deviating from the spirit and scope of the present invention.
[0041] With reference to Figure 5, example admission profile database 500 is shown comprising classifiers 502 and 504 and associated profiles 512-522 differentiated based on time of day indicators 506, 508 and 510. In accordance with the illustrated example embodiment, the filter established on a network device corresponds to an appropriate one or both of classifiers 502 and 504, such that the filter associated with classifier 502 monitors received network traffic for data packets emanating from network A (e.g., LAN 102) destined for network B (e.g., LAN 106). Accordingly, when a hit is received corresponding to classifier 502 during the hours of 9-5, profile 512 will be installed in classifier 214 of network edge device 110 of LAN 102 to mark data packets satisfying the filter criteria in accordance with their subscribed service level. In accordance with the information provided by admission control policy database 500, such packets are marked for expedited forwarding (EF) with a throughput rate of 10 Mbps, no burst, in accordance with profile 512. Packets corresponding to classifier 502 received before 9AM or after 5PM will be marked for best-effort delivery, in accordance with profiles 514 and 516. Similarly, profiles 518-522 denote service level support for network traffic defined by classifier 504. Thus, a network device incorporating the teachings of the present invention installs and removes filters and classifier profiles, defined in an admission policy database, on an as-needed, as-authorized basis, thereby limiting the network and device resources dedicated to supporting the differentiated services of an associated data network.
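The following simulation is an added example, not code from the patent or its assignee. It models the controller behaviour of paragraphs [0036]-[0038] (filter expiry, filter hit, on-demand profile lookup at the bandwidth broker, ToS marking, retention or purge of the profile once transmission completes) together with the time-of-day admission profile database of Figure 5 described in [0041]. Everything not named in the text is an assumption: the DSCP code points stand in for the marking of "ToS field 402", the 10.1.0.0/16 and 10.2.0.0/16 prefixes stand in for network A and network B, the hour windows 0-9 / 9-17 / 17-24 realise profiles 514 / 512 / 516, and `expires_at` is a simulated clock tick for filter expiry.

```python
"""Simulated edge controller: trigger filters, on-demand classifier profiles and
ToS/DSCP marking, following [0036]-[0038] and the Figure 5 database of [0041].
Added example, not the patent's own code; prefixes, hour windows and DSCP values
are constructed assumptions."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

DSCP_BEST_EFFORT = 0   # default forwarding (RFC 2474)
DSCP_EF = 46           # expedited forwarding (RFC 3246)

# Classifier profile 222: marking and policing rate applied to matching packets.
ClassifierProfile = namedtuple("ClassifierProfile", "dscp rate_mbps burst_kb")

# Constructed admission profile database modelled on Figure 5: per classifier,
# (start_hour, end_hour) windows selecting the profile to install on a hit.
ADMISSION_DB = {
    "classifier_502": [
        ((0, 9), ClassifierProfile(DSCP_BEST_EFFORT, 0, 0)),    # profile 514
        ((9, 17), ClassifierProfile(DSCP_EF, 10, 0)),           # profile 512: EF, 10 Mbps, no burst
        ((17, 24), ClassifierProfile(DSCP_BEST_EFFORT, 0, 0)),  # profile 516
    ],
}

def broker_lookup(db, filter_name, hour):
    """Bandwidth broker 126: resolve a trigger notification to a classifier profile."""
    for (start, end), profile in db.get(filter_name, []):
        if start <= hour < end:
            return profile
    return None

# sender_dscp is whatever the sender wrote into the ToS field; the edge never trusts it.
Packet = namedtuple("Packet", "src dst sender_dscp", defaults=[DSCP_BEST_EFFORT])

@dataclass
class AdmissionFilter:
    """Trigger filter 212: fires on packets from src_net destined for dst_net."""
    name: str
    src_net: IPv4Network
    dst_net: IPv4Network
    expires_at: int  # simulated clock tick at which the filter is removed

    def hit(self, pkt):
        return ip_address(pkt.src) in self.src_net and ip_address(pkt.dst) in self.dst_net

class EdgeController:
    """Controller 206: owns the filter table and the profiles installed in classifier 214."""
    def __init__(self, db):
        self.db, self.broker_queries = db, 0
        self.filters, self.profiles = {}, {}

    def mark(self, pkt, now, hour):
        """Return the DSCP that classifier 214 writes into ToS field 402 for pkt."""
        # Blocks 306/308: expired filters go first, taking their profiles with them.
        for name in [n for n, f in self.filters.items() if f.expires_at <= now]:
            del self.filters[name]
            self.profiles.pop(name, None)
        for f in self.filters.values():
            if not f.hit(pkt):
                continue
            profile = self.profiles.get(f.name)
            if profile is None:  # blocks 314/316: forward trigger to the broker, install result
                self.broker_queries += 1
                profile = broker_lookup(self.db, f.name, hour)
                if profile is None:
                    break
                self.profiles[f.name] = profile
            return profile.dscp  # block 318: marked per the subscribed service level
        # Block 312: no authorising filter/profile, so best effort regardless of pkt.sender_dscp.
        return DSCP_BEST_EFFORT

    def transmission_complete(self, filter_name):
        """Block 322: keep an EF profile while its filter lives, purge lower ones; True if purged."""
        profile = self.profiles.get(filter_name)
        if profile is not None and profile.dscp != DSCP_EF:
            del self.profiles[filter_name]
            return True
        return False

def demo():
    """Off-hours, business-hours, unmatched and expiry cases; returns what was observed."""
    ctl = EdgeController(ADMISSION_DB)
    ctl.filters["classifier_502"] = AdmissionFilter(  # network A -> network B (constructed prefixes)
        "classifier_502", ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"), expires_at=100)
    a_to_b, other = Packet("10.1.0.5", "10.2.0.9"), Packet("10.9.0.1", "10.2.0.9", DSCP_EF)
    off_hours = ctl.mark(a_to_b, now=1, hour=20)              # profile 516 -> best effort
    be_removed = ctl.transmission_complete("classifier_502")  # lower level: profile purged
    business = ctl.mark(a_to_b, now=2, hour=11)               # profile 512 fetched -> EF
    cached = ctl.mark(a_to_b, now=3, hour=11)                 # profile already installed
    unmatched = ctl.mark(other, now=4, hour=11)               # no filter hit, sender's EF ignored
    ef_removed = ctl.transmission_complete("classifier_502")  # highest level: retained
    expired = ctl.mark(a_to_b, now=100, hour=11)              # filter expired at tick 100
    return {"off_hours_dscp": off_hours, "best_effort_profile_removed": be_removed,
            "business_hours_dscp": business, "cached_dscp": cached, "unmatched_dscp": unmatched,
            "ef_profile_removed": ef_removed, "after_expiry_dscp": expired,
            "broker_queries": ctl.broker_queries, "filters_left": len(ctl.filters)}

if __name__ == "__main__":
    print(demo())
```

Two points the simulation makes visible. First, the trust boundary: a packet's own ToS marking is never consulted; the only way to leave the edge with anything other than best effort is to hit an installed filter whose profile the policy database authorises for the current time window, which is what stops a host from simply self-marking traffic as EF. Second, the resource side: the broker is consulted only on the first hit after a profile is missing (two queries in the run, because the best-effort profile was purged at transmission end while the EF profile was retained), and filter expiry discards both the filter and its profile. One caveat a real controller would have to handle is that a profile installed during the 9-5 window stays in the classifier until the filter expires or the profile is purged; re-evaluating installed profiles at window boundaries corresponds to the time-of-day removal the text mentions in [0040].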
[0042] Turning next to Figure 6, an alternate embodiment of an example network device incorporating the teachings of the present invention is presented. Those skilled in the art will recognize that example network device 600 is similar to that of network device 200 presented above, with the notable exceptions that controller 206 is depicted integrated with network interface 204 and the addition of egress classifier/profiler 602. Thus, those skilled in the art will appreciate that network device 600 controls the provision of differentiated services by dynamically installing/removing trigger filters and classifier profiles in accordance with an admission control policy. In doing so, network device 600, like network device 200 described more fully above, reduces the amount of network and management resources required to support the differentiated services, thereby reducing the overall cost associated with supporting such services.

[0043] In addition to the embodiments described above, those skilled in the art will appreciate that the teachings of the present invention may well be integrated within a single integrated circuit (not shown). That is, those skilled in the art will appreciate that advances in IC fabrication technology now enable complex systems to be integrated onto a single IC. Thus, in accordance with one embodiment of the present invention, the teachings of the present invention may be practiced within an application specific integrated circuit (ASIC), programmable logic device (PLD), microcontroller, processor and the like.

[0044] While the innovative features for controlling access to network information sources of the present invention have been described in terms of the above illustrated embodiments, those skilled in the art will recognize that the invention is not limited to the embodiments described. The present invention can be practiced with modification and alteration within the spirit and scope of the appended claims. In particular, the present invention may be practiced with other features and/or feature settings. Particular examples of other features include but are not limited to transaction communication protocols and architectural attributes. Accordingly, the description is to be regarded as illustrative instead of restrictive on the present invention.

[0045] Thus, alternate methods and apparatus for dynamically controlling the provision of differentiated services incorporating the teachings of the present invention have been described.

Claims

1. An apparatus comprising:

a network interface, through which the apparatus facilitates communication between a client device and a remote device at any of a number of alternative service levels; and

a controller, coupled to the network interface, to dynamically create and remove filters controlling access to the different service levels based, at least in part, on an admissions profile.

2. The apparatus of claim 1, wherein the filter(s), when triggered, initiate an admission control decision preventing premature allocation of service level resources which are not yet required or authorized.

3. The apparatus of claim 2, wherein the filters are triggered by information contained within received data packets.

4. The apparatus of claim 3, wherein the filters are triggered by one or both of packet source information and packet destination information.

5. The apparatus of claim 1, wherein the admissions profile is stored in a communicatively coupled remote device.

6. The apparatus of claim 5, wherein the communicatively coupled remote device is a bandwidth broker or other generic policy server.

7. The apparatus of claim 1, wherein the admissions profile is available locally within the apparatus.

8. The apparatus of claim 1, wherein the controller establishes an ingress profile in response to detecting an associated trigger event, wherein the ingress profile modifies the received data packets adhering to the filter criteria to denote a particular service level, in accordance with the admissions profile.

9. The apparatus of claim 8, wherein the controller removes ingress profiles when data packets adhering to the filter criteria are no longer received, liberating apparatus resources.

10. The apparatus of claim 8, wherein the controller removes ingress profiles after a predetermined period of time, liberating apparatus resources.

11. The apparatus of claim 1, wherein the controller removes filters in accordance with a network administration policy.

12. The apparatus of claim 11, wherein the controller removes filters based, at least in part, on time-of-day.

13. A method for controlling provision of differentiated services in a data network, the method comprising:

(a) installing a filter on a network edge device to provide a trigger notification upon detecting data packets adhering to filter criteria, in accordance with a network administration policy; and

(b) dynamically creating an ingress profiler which polices admission to a particular service level.

14. The method of claim 13, further comprising (c) marking the received data packets adhering to the filter criteria according to a subscribed service level.

15. The method of claim 13, wherein the ingress profiler polices admission to a particular service level by allowing only those received data packets adhering to the filter criteria of a particular service level to proceed at its service level.